1243730Srwatson/*-
2243730Srwatson * Copyright (c) 2012 The FreeBSD Foundation
3243730Srwatson * All rights reserved.
4243730Srwatson *
5243730Srwatson * This software was developed by Pawel Jakub Dawidek under sponsorship from
6243730Srwatson * the FreeBSD Foundation.
7243730Srwatson *
8243730Srwatson * Redistribution and use in source and binary forms, with or without
9243730Srwatson * modification, are permitted provided that the following conditions
10243730Srwatson * are met:
11243730Srwatson * 1. Redistributions of source code must retain the above copyright
12243730Srwatson *    notice, this list of conditions and the following disclaimer.
13243730Srwatson * 2. Redistributions in binary form must reproduce the above copyright
14243730Srwatson *    notice, this list of conditions and the following disclaimer in the
15243730Srwatson *    documentation and/or other materials provided with the distribution.
16243730Srwatson *
17243730Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
18243730Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19243730Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20243730Srwatson * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
21243730Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22243730Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23243730Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24243730Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25243730Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26243730Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27243730Srwatson * SUCH DAMAGE.
28243730Srwatson *
29243734Srwatson * $P4: //depot/projects/trustedbsd/openbsm/bin/auditdistd/sandbox.c#3 $
30243730Srwatson */
31243730Srwatson
32243734Srwatson#include <config/config.h>
33243730Srwatson
34243730Srwatson#include <sys/param.h>
35243730Srwatson#ifdef HAVE_JAIL
36243730Srwatson#include <sys/jail.h>
37243730Srwatson#endif
38243730Srwatson#ifdef HAVE_CAP_ENTER
39243730Srwatson#include <sys/capability.h>
40243730Srwatson#endif
41243730Srwatson
42243730Srwatson#include <errno.h>
43243730Srwatson#include <pwd.h>
44243730Srwatson#include <stdarg.h>
45243730Srwatson#include <stdbool.h>
46243730Srwatson#include <stdio.h>
47243730Srwatson#include <stdlib.h>
48243730Srwatson#include <strings.h>
49243730Srwatson#include <unistd.h>
50243730Srwatson
51243734Srwatson#include "pjdlog.h"
52243730Srwatson#include "sandbox.h"
53243730Srwatson
54243730Srwatsonstatic int
55243730Srwatsongroups_compare(const void *grp0, const void *grp1)
56243730Srwatson{
57243730Srwatson	gid_t gr0 = *(const gid_t *)grp0;
58243730Srwatson	gid_t gr1 = *(const gid_t *)grp1;
59243730Srwatson
60243730Srwatson	return (gr0 <= gr1 ? (gr0 < gr1 ? -1 : 0) : 1);
61243730Srwatson
62243730Srwatson}
63243730Srwatson
64243730Srwatsonint
65243730Srwatsonsandbox(const char *user, bool capsicum, const char *fmt, ...)
66243730Srwatson{
67243730Srwatson#ifdef HAVE_JAIL
68243730Srwatson	struct jail jailst;
69243730Srwatson	char *jailhost;
70243730Srwatson	va_list ap;
71243730Srwatson#endif
72243730Srwatson	struct passwd *pw;
73243730Srwatson	uid_t ruid, euid;
74243730Srwatson	gid_t rgid, egid;
75243730Srwatson#ifdef HAVE_GETRESUID
76243730Srwatson	uid_t suid;
77243730Srwatson#endif
78243730Srwatson#ifdef HAVE_GETRESGID
79243730Srwatson	gid_t sgid;
80243730Srwatson#endif
81243730Srwatson	gid_t *groups, *ggroups;
82243730Srwatson	bool jailed;
83243730Srwatson	int ngroups, ret;
84243730Srwatson
85243730Srwatson	PJDLOG_ASSERT(user != NULL);
86243730Srwatson	PJDLOG_ASSERT(fmt != NULL);
87243730Srwatson
88243730Srwatson	ret = -1;
89243730Srwatson	groups = NULL;
90243730Srwatson	ggroups = NULL;
91243730Srwatson
92243730Srwatson	/*
93243730Srwatson	 * According to getpwnam(3) we have to clear errno before calling the
94243730Srwatson	 * function to be able to distinguish between an error and missing
95243730Srwatson	 * entry (with is not treated as error by getpwnam(3)).
96243730Srwatson	 */
97243730Srwatson	errno = 0;
98243730Srwatson	pw = getpwnam(user);
99243730Srwatson	if (pw == NULL) {
100243730Srwatson		if (errno != 0) {
101243730Srwatson			pjdlog_errno(LOG_ERR,
102243730Srwatson			    "Unable to find info about '%s' user", user);
103243730Srwatson			goto out;
104243730Srwatson		} else {
105243730Srwatson			pjdlog_error("'%s' user doesn't exist.", user);
106243730Srwatson			errno = ENOENT;
107243730Srwatson			goto out;
108243730Srwatson		}
109243730Srwatson	}
110243730Srwatson
111243730Srwatson	ngroups = sysconf(_SC_NGROUPS_MAX);
112243730Srwatson	if (ngroups == -1) {
113243730Srwatson		pjdlog_errno(LOG_WARNING,
114243730Srwatson		    "Unable to obtain maximum number of groups");
115243730Srwatson		ngroups = NGROUPS_MAX;
116243730Srwatson	}
117243730Srwatson	ngroups++;	/* For base gid. */
118243730Srwatson	groups = malloc(sizeof(groups[0]) * ngroups);
119243730Srwatson	if (groups == NULL) {
120243730Srwatson		pjdlog_error("Unable to allocate memory for %d groups.",
121243730Srwatson		    ngroups);
122243730Srwatson		goto out;
123243730Srwatson	}
124243730Srwatson	if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
125243730Srwatson		pjdlog_error("Unable to obtain groups of user %s.", user);
126243730Srwatson		goto out;
127243730Srwatson	}
128243730Srwatson
129243730Srwatson#ifdef HAVE_JAIL
130243730Srwatson	va_start(ap, fmt);
131243730Srwatson	(void)vasprintf(&jailhost, fmt, ap);
132243730Srwatson	va_end(ap);
133243730Srwatson	if (jailhost == NULL) {
134243730Srwatson		pjdlog_error("Unable to allocate memory for jail host name.");
135243730Srwatson		goto out;
136243730Srwatson	}
137243730Srwatson	bzero(&jailst, sizeof(jailst));
138243730Srwatson	jailst.version = JAIL_API_VERSION;
139243730Srwatson	jailst.path = pw->pw_dir;
140243730Srwatson	jailst.hostname = jailhost;
141243730Srwatson	if (jail(&jailst) >= 0) {
142243730Srwatson		jailed = true;
143243730Srwatson	} else {
144243730Srwatson		jailed = false;
145243730Srwatson		pjdlog_errno(LOG_WARNING,
146243730Srwatson		    "Unable to jail to directory %s", pw->pw_dir);
147243730Srwatson	}
148243730Srwatson	free(jailhost);
149243730Srwatson#else	/* !HAVE_JAIL */
150243730Srwatson	jailed = false;
151243730Srwatson#endif	/* !HAVE_JAIL */
152243730Srwatson
153243730Srwatson	if (!jailed) {
154243730Srwatson		if (chroot(pw->pw_dir) == -1) {
155243730Srwatson			pjdlog_errno(LOG_ERR,
156243730Srwatson			    "Unable to change root directory to %s",
157243730Srwatson			    pw->pw_dir);
158243730Srwatson			goto out;
159243730Srwatson		}
160243730Srwatson	}
161243730Srwatson	PJDLOG_VERIFY(chdir("/") == 0);
162243730Srwatson
163243730Srwatson	if (setgroups(ngroups, groups) == -1) {
164243730Srwatson		pjdlog_errno(LOG_ERR, "Unable to set groups");
165243730Srwatson		goto out;
166243730Srwatson	}
167243730Srwatson	if (setgid(pw->pw_gid) == -1) {
168243730Srwatson		pjdlog_errno(LOG_ERR, "Unable to set gid to %u",
169243730Srwatson		    (unsigned int)pw->pw_gid);
170243730Srwatson		goto out;
171243730Srwatson	}
172243730Srwatson	if (setuid(pw->pw_uid) == -1) {
173243730Srwatson		pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
174243730Srwatson		    (unsigned int)pw->pw_uid);
175243730Srwatson		goto out;
176243730Srwatson	}
177243730Srwatson
178243730Srwatson#ifdef HAVE_CAP_ENTER
179243730Srwatson	if (capsicum) {
180243730Srwatson		capsicum = (cap_enter() == 0);
181243730Srwatson		if (!capsicum) {
182243730Srwatson			pjdlog_common(LOG_DEBUG, 1, errno,
183243730Srwatson			    "Unable to sandbox using capsicum");
184243730Srwatson		}
185243730Srwatson	}
186243730Srwatson#else	/* !HAVE_CAP_ENTER */
187243730Srwatson	capsicum = false;
188243730Srwatson#endif	/* !HAVE_CAP_ENTER */
189243730Srwatson
190243730Srwatson	/*
191243730Srwatson	 * Better be sure that everything succeeded.
192243730Srwatson	 */
193243730Srwatson#ifdef HAVE_GETRESUID
194243730Srwatson	PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
195243730Srwatson	PJDLOG_VERIFY(suid == pw->pw_uid);
196243730Srwatson#else
197243730Srwatson	ruid = getuid();
198243730Srwatson	euid = geteuid();
199243730Srwatson#endif
200243730Srwatson	PJDLOG_VERIFY(ruid == pw->pw_uid);
201243730Srwatson	PJDLOG_VERIFY(euid == pw->pw_uid);
202243730Srwatson#ifdef HAVE_GETRESGID
203243730Srwatson	PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0);
204243730Srwatson	PJDLOG_VERIFY(sgid == pw->pw_gid);
205243730Srwatson#else
206243730Srwatson	rgid = getgid();
207243730Srwatson	egid = getegid();
208243730Srwatson#endif
209243730Srwatson	PJDLOG_VERIFY(rgid == pw->pw_gid);
210243730Srwatson	PJDLOG_VERIFY(egid == pw->pw_gid);
211243730Srwatson	PJDLOG_VERIFY(getgroups(0, NULL) == ngroups);
212243730Srwatson	ggroups = malloc(sizeof(ggroups[0]) * ngroups);
213243730Srwatson	if (ggroups == NULL) {
214243730Srwatson		pjdlog_error("Unable to allocate memory for %d groups.",
215243730Srwatson		    ngroups);
216243730Srwatson		goto out;
217243730Srwatson	}
218243730Srwatson	PJDLOG_VERIFY(getgroups(ngroups, ggroups) == ngroups);
219243730Srwatson	qsort(groups, (size_t)ngroups, sizeof(groups[0]), groups_compare);
220243730Srwatson	qsort(ggroups, (size_t)ngroups, sizeof(ggroups[0]), groups_compare);
221243730Srwatson	PJDLOG_VERIFY(bcmp(groups, ggroups, sizeof(groups[0]) * ngroups) == 0);
222243730Srwatson
223243730Srwatson	pjdlog_debug(1,
224243730Srwatson	    "Privileges successfully dropped using %s%s+setgid+setuid.",
225243730Srwatson	    capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot");
226243730Srwatson
227243730Srwatson	ret = 0;
228243730Srwatsonout:
229243730Srwatson	if (groups != NULL)
230243730Srwatson		free(groups);
231243730Srwatson	if (ggroups != NULL)
232243730Srwatson		free(ggroups);
233243730Srwatson	return (ret);
234243730Srwatson}
235